US10380337B2 · Active · Utility · PatentIndex 72

Configuring a sandbox environment for malware testing

Assignee: JUNIPER NETWORKS INC
Priority: Mar 31, 2015
Filed: Aug 21, 2017
Granted: Aug 13, 2019
Est. expiry: Mar 31, 2035 (~8.7 yrs left) · nominal 20-yr term from priority
Inventors: LANGTON JACOB ASHER; ADAMS KYLE; QUINLAN DANIEL J; ZHAN ZHENXIN
Classifications: G06F 21/53; G06F 21/566; G06F 21/567; G06F 2221/033

PatentIndex Score: 72
Cited by: 1
References: 31
Claims: 20

Abstract

A device may receive a file to be analyzed in a sandbox environment, and may determine configuration information for configuring the sandbox environment. The configuration information may be determined based on at least one of: file information associated with the file to be analyzed, or client device information associated with a client device for which the file is intended. The device may configure the sandbox environment using the configuration information. The configuration information may identify a system configuration for the sandbox environment. The device may analyze the file in the sandbox environment based on configuring the sandbox environment using the configuration information.

Claims

exact text as granted — not AI-modified
What is claimed is:

1. A device, comprising:
  a memory; and
  one or more processors to:
    receive a file to be analyzed in a sandbox environment;
    determine file information based on analyzing the file,
      the file information identifying one or more features of a system configuration;
    determine, based on the file information, the system configuration,
      the system configuration including information regarding:
        a compiler to be used by the sandbox environment, and
        an operating system to be used by the sandbox environment;
    configure the sandbox environment using the system configuration;
    analyze the file in the sandbox environment based on configuring the sandbox environment using the system configuration;
    determine, based on analyzing the file in the sandbox environment, whether the file includes malware; and
    selectively:
      perform an action to counteract the malware based on determining that the file includes malware, or
      permit the file to be accessed based on determining that the file does not include malware.

2. The device of claim 1, where the one or more processors, when determining the system configuration, are to:
  determine the system configuration based on client device information regarding a client device for which the file is intended.

3. The device of claim 1, where the system configuration further includes information regarding at least one of:
  an application used to obtain the file,
  a version of an application used to obtain the file,
  an application used to execute the file,
  a version of an application used to execute the file,
  a processor architecture capable of executing the file,
  an interpreter capable of interpreting the file, or
  a network configuration associated with the file.

4. The device of claim 1, where the system configuration is identified by client device information associated with a client device for which the file is intended.

5. The device of claim 4, where the system configuration further includes information regarding at least one of:
  a set of applications installed on or executing on the client device,
  a version of a set of applications installed on or executing on the client device,
  a set of default applications used to execute particular type of files on the client device,
  a runtime library used by the client device,
  a runtime system used by the client device,
  a processor architecture of the client device,
  an interpreter used by the client device,
  a file structure associated with the client device, or
  a network configuration associated with the file.

6. The device of claim 1, where the file information indicates a first system configuration;
  where client device information indicates a second system configuration; and
  where the one or more processors, when determining the system configuration, are to:
    select the first system configuration based on the file information, or
    select the second system configuration based on the client device information.

7. The device of claim 1, where the one or more processors are further to:
  analyze the file for a file indicator that indicates the system configuration; and
  where the one or more processors, when determining the file information, are to:
    determine the file information based on analyzing the file for the file indicator.

8. A non-transitory computer-readable medium storing instructions, the instructions comprising:
  one or more instructions that, when executed by one or more processors, cause the one or more processors to:
    receive a file to be analyzed for malware using a sandbox environment;
    determine file information based on analyzing the file,
      the file information identifying one or more features of a system configuration;
    determine, based on the file information, the system configuration,
      the system configuration including information regarding:
        a compiler to be used by the sandbox environment, and
        an operating system to be used by the sandbox environment;
    configure the sandbox environment using the system configuration;
    analyze the file for malware using the sandbox environment based on configuring the sandbox environment using the system configuration;
    determine, based on analyzing the file in the sandbox environment, whether the file includes malware; and
    selectively:
      perform an action to counteract the malware based on determining that the file includes malware, or
      permit the file to be accessed based on determining that the file does not include malware.

9. The non-transitory computer-readable medium of claim 8, where the one or more instructions, that cause the one or more processors to analyze the file in the sandbox environment, cause the one or more processors to:
  analyze the file in the sandbox environment by executing the file in the sandbox environment and monitoring at least one of the file or the sandbox environment for behavior indicative of the malware.

10. The non-transitory computer-readable medium of claim 8, where the one or more instructions, that cause the one or more processors to perform the action to counteract the malware, cause the one or more processors to:
  delete the file.

11. The non-transitory computer-readable medium of claim 8, where the one or more instructions, that cause the one or more processors to perform the action to counteract the malware, cause the one or more processors to:
  monitor the file to identify a device with which the file communicates.

12. The non-transitory computer-readable medium of claim 11, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
  block communications associated with the device.

13. The non-transitory computer-readable medium of claim 11, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
  provide an instruction to another device to block communications associated with the device.

14. A method, comprising:
  receiving, by a device, a file to be analyzed in a computing environment;
  determining, by the device, file information based on analyzing the file,
    the file information identifying one or more features of a system configuration;
  determining, by the device and based on the file information, the system configuration,
    the system configuration including information regarding:
      a compiler to be used by the computing environment, and
      an operating system to be used by the computing environment;
  configuring, by the device, the computing environment using the system configuration;
  analyzing, by the device, the file in the computing environment based on configuring the computing environment using the system configuration;
  determining, by the device and based on analyzing the file in the computing environment, whether the file includes malware; and
  selectively:
    performing, by the device, an action to counteract the malware based on determining that the file includes malware, or
    permitting, by the device, the file to be accessed based on determining that the file does not include malware.

15. The method of claim 14, where the computing environment is a first sandbox environment;
  where the system configuration is a first system configuration;
  where configuring the computing environment comprises:
    configuring the first sandbox environment using the first system configuration;
  where the method further comprises:
    configuring a second sandbox environment using a second system configuration; and
  where analyzing the file comprises:
    analyzing the file in the first sandbox environment, and
    analyzing the file in the second sandbox environment.

16. The method of claim 14, where determining the system configuration comprises:
  determining the system configuration by performing a probabilistic analysis of the file.

17. The method of claim 14, further comprising:
  determining a likelihood that the system configuration will identify the file as malware; and
  where determining the system configuration comprises:
    determining the system configuration based on determining the likelihood that the system configuration will identify the file as malware.

18. The method of claim 14, further comprising:
  determining likelihoods that a plurality of system configurations will identify the file as malware; and
  where determining the system configuration comprises:
    determining the system configuration based on the system configuration having a highest likelihood to identify the file as malware.

19. The method of claim 14, further comprising:
  storing one or more sandbox profiles associated with one or more system configurations; and
  loading a particular sandbox profile, of the one or more sandbox profiles, that matches the system configuration; and
  where configuring the computing environment comprises:
    configuring the computing environment based on loading the particular sandbox profile.

20. The method of claim 14, further comprising:
  storing an indicator, associated with the file, that indicates that the file is not suspicious based on determining that the file does not include malware.
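The selection logic the claims describe (file information → system configuration → stored sandbox profile, with the client device's configuration as fallback and the highest detection likelihood breaking ties), as an added Python illustration that is not code from the patent or from Juniper. The PE header offsets are standard; the profiles, their detection rates and the linker-version-to-compiler heuristic are constructed assumptions.

```python
import struct

# Constructed sandbox profiles (claim 19). "detect_rate" is a constructed stand-in
# for the likelihood that a configuration identifies the file as malware (claims 17-18).
PROFILES = [
    {"name": "win7-x86-msvc", "arch": "x86", "os": "windows", "compiler": "msvc", "detect_rate": 0.62},
    {"name": "win8-x64-msvc", "arch": "x64", "os": "windows", "compiler": "msvc", "detect_rate": 0.70},
    {"name": "win10-x64-msvc", "arch": "x64", "os": "windows", "compiler": "msvc", "detect_rate": 0.81},
    {"name": "win10-x64-gnu", "arch": "x64", "os": "windows", "compiler": "gnu", "detect_rate": 0.74},
]
MACHINE = {0x14C: "x86", 0x8664: "x64"}

def build_pe_stub(machine, linker_major, subsystem=2, pe32plus=True):
    """Build a minimal PE header: constructed test input, not a runnable binary."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 240, 0)
    opt = struct.pack("<HBB", 0x20B if pe32plus else 0x10B, linker_major, 0)
    return dos + coff + opt + b"\0" * 64 + struct.pack("<H", subsystem)

def file_information(data):
    """Derive system-configuration features from the file itself (claim 1).
    Returns None when the file carries no usable indicator (claim 7)."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        return None
    machine = struct.unpack_from("<H", data, pe + 4)[0]
    linker_major = struct.unpack_from("<B", data, pe + 24 + 2)[0]  # MajorLinkerVersion
    # Heuristic assumption: MSVC's link.exe writes its own major version (6 and up),
    # GNU ld on MinGW writes 2. Real triage would use richer indicators.
    return {"arch": MACHINE.get(machine, "unknown"), "os": "windows",
            "compiler": "msvc" if linker_major >= 6 else "gnu"}

def select_profile(file_info, client_info=None):
    """Pick the stored profile matching the file's indicated configuration, else the
    client device's (claim 6); prefer the highest malware-detection likelihood (claim 18)."""
    wanted = file_info or client_info
    if wanted is None:
        return None
    matches = [p for p in PROFILES
               if all(p[k] == wanted[k] for k in ("arch", "os", "compiler"))]
    return max(matches, key=lambda p: p["detect_rate"], default=None)

if __name__ == "__main__":
    sample = build_pe_stub(0x8664, linker_major=14)          # x64, MSVC-linked
    print(select_profile(file_information(sample))["name"])  # win10-x64-msvc
    client = {"arch": "x86", "os": "windows", "compiler": "msvc"}
    print(select_profile(file_information(b"not a PE"), client)["name"])  # win7-x86-msvc
```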

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.